From 6e0080fc57654fac967b67cdfc4f3764c5acdae3 Mon Sep 17 00:00:00 2001
From: Dmitriy Kholkin
Date: Wed, 22 Nov 2023 06:00:24 +0300
Subject: [PATCH] remove nixos-vps
---
 flake.nix | 10 -
 machines/NixOS-VPS/default.nix | 172 ----------------
 machines/NixOS-VPS/disko.nix | 74 -------
 machines/NixOS-VPS/hardware/default.nix | 41 ----
 machines/NixOS-VPS/hardware/networks.nix | 95 ---------
 machines/NixOS-VPS/network.nix | 65 ------
 machines/NixOS-VPS/nix.nix | 39 ----
 machines/NixOS-VPS/services/backups.nix | 26 ---
 machines/NixOS-VPS/services/dns.nix | 228 ---------------------
 machines/NixOS-VPS/services/tailscale.nix | 21 --
 machines/NixOS-VPS/services/tor-bridge.nix | 43 ----
 machines/NixOS-VPS/services/wireguard.nix | 128 ------------
 machines/NixOS-VPS/services/xtls.nix | 45 ----
 machines/NixOS-VPS/system | 1 -
 14 files changed, 988 deletions(-)
 delete mode 100644 machines/NixOS-VPS/default.nix
 delete mode 100644 machines/NixOS-VPS/disko.nix
 delete mode 100644 machines/NixOS-VPS/hardware/default.nix
 delete mode 100644 machines/NixOS-VPS/hardware/networks.nix
 delete mode 100644 machines/NixOS-VPS/network.nix
 delete mode 100644 machines/NixOS-VPS/nix.nix
 delete mode 100644 machines/NixOS-VPS/services/backups.nix
 delete mode 100644 machines/NixOS-VPS/services/dns.nix
 delete mode 100644 machines/NixOS-VPS/services/tailscale.nix
 delete mode 100644 machines/NixOS-VPS/services/tor-bridge.nix
 delete mode 100644 machines/NixOS-VPS/services/wireguard.nix
 delete mode 100644 machines/NixOS-VPS/services/xtls.nix
 delete mode 100644 machines/NixOS-VPS/system
diff --git a/flake.nix b/flake.nix
index 5f34611..629a070 100644
--- a/flake.nix
+++ b/flake.nix
@@ -139,15 +139,6 @@
 specialArgs = { inherit inputs; };
 };
 in (genAttrs hostnames mkHost) // {
- NixOS-VPS = {
- system = builtins.readFile (./machines/NixOS-VPS/system);
- modules = [
- (import (./machines/NixOS-VPS))
- { device = "NixOS-VPS"; mainuser = "ataraxia"; }
- ];
- specialArgs = { inherit inputs; };
- channelName = "stable";
- };
 };
 nixosHostsCI = builtins.listToAttrs (map (name: {
@@ -243,7 +234,6 @@
 };
 };
 in builtins.mapAttrs mkDeploy {
- NixOS-VPS = { hostname = "193.219.97.142"; };
 Home-Hypervisor = { hostname = "192.168.0.10"; };
 Dell-Laptop = { hostname = "192.168.0.101"; };
 };
diff --git a/machines/NixOS-VPS/default.nix b/machines/NixOS-VPS/default.nix
deleted file mode 100644
index 3478910..0000000
--- a/machines/NixOS-VPS/default.nix
+++ /dev/null
@@ -1,172 +0,0 @@
-{ modulesPath, inputs, lib, pkgs, config, ... }: {
- imports = with inputs.self; [
- (modulesPath + "/profiles/qemu-guest.nix")
- (modulesPath + "/profiles/minimal.nix")
- inputs.disko.nixosModules.disko
-
- ./hardware
- ./network.nix
- ./nix.nix
- ./services/backups.nix
- ./services/dns.nix
- ./services/tailscale.nix
- ./services/tor-bridge.nix
- ./services/wireguard.nix
- ./services/xtls.nix
-
- customModules.devices
- customModules.users
-
- customProfiles.hardened
- customProfiles.overlay
- ];
-
- # disko.devices = import ./disko.nix { inherit lib; };
-
- # Misc
- boot = {
- supportedFilesystems = [ "vfat" "btrfs" ];
- kernelModules = [ "tcp_bbr" "veth" "x_tables" ];
- kernelParams = [
- "scsi_mod.use_blk_mq=1"
- "kvm.ignore_msrs=1"
- "kvm.report_ignored_msrs=0"
- ];
- kernel.sysctl = {
- "vm.swappiness" = 50;
- "vm.vfs_cache_pressure" = 200;
- "vm.dirty_background_ratio" = 1;
- "vm.dirty_ratio" = 40;
- "vm.page-cluster" = 0;
- "net.ipv4.tcp_congestion_control" = "bbr";
- "net.ipv4.tcp_slow_start_after_idle" = 0;
- "net.core.default_qdisc" = "cake";
- # "net.core.default_qdisc" = "fq";
- };
- loader.grub = {
- devices = [ "/dev/sda" ];
- efiSupport = true;
- efiInstallAsRemovable = true;
- };
- };
- zramSwap = {
- enable = true;
- algorithm = "zstd";
- memoryPercent = 100;
- };
-
- deviceSpecific.isServer = true;
- services.journald.extraConfig = "Compress=false";
- nix.optimise.automatic = false;
- nix.distributedBuilds = lib.mkForce false;
- hardware.enableRedistributableFirmware = true;
- environment.noXlibs = lib.mkForce false;
- fonts.enableDefaultFonts = lib.mkForce false;
- # fonts.fonts = [ (pkgs.nerdfonts.override { fonts = [ "FiraCode" "VictorMono" ]; }) ];
- security.polkit.enable = true;
- # security.pam.enableSSHAgentAuth = true;
- environment.systemPackages = with pkgs; [
- bat
- bottom
- comma
- git
- kitty
- micro
- nix-index-update
- pwgen
- ];
-
- # Locale
- i18n.defaultLocale = "en_GB.UTF-8";
- i18n.extraLocaleSettings = {
- LANGUAGE = "en_GB.UTF-8";
- LC_ALL = "en_GB.UTF-8";
- LC_TIME = "en_GB.UTF-8";
- LC_ADDRESS = "ru_RU.UTF-8";
- LC_MONETARY = "ru_RU.UTF-8";
- LC_PAPER = "ru_RU.UTF-8";
- };
- environment.sessionVariables = {
- XKB_DEFAULT_LAYOUT = "us,ru";
- XKB_DEFAULT_OPTIONS = "grp:win_space_toggle";
- LANGUAGE = "en_GB.UTF-8";
- LC_ALL = "en_GB.UTF-8";
- };
-
- # Hardened
- networking.firewall = {
- enable = true;
- allowPing = false;
- allowedTCPPorts = lib.mkDefault [ ];
- allowedUDPPorts = lib.mkDefault [ ];
- };
- systemd.coredump.enable = false;
- programs.firejail.enable = true;
-
- # Users
- services.openssh = {
- enable = true;
- settings.PasswordAuthentication = false;
- settings.PermitRootLogin = lib.mkForce "prohibit-password";
- settings.X11Forwarding = false;
- extraConfig = "StreamLocalBindUnlink yes";
- ports = [ 22 ];
- };
- users.mutableUsers = false;
- users.users = {
- ${config.mainuser} = {
- isNormalUser = true;
- extraGroups = [ "disk" "systemd-journal" "wheel" ];
- uid = 1000;
- hashedPassword =
- "$y$j9T$ZC44T3XYOPapB26cyPsA4.$8wlYEbwXFszC9nrg0vafqBZFLMPabXdhnzlT3DhUit6";
- shell = pkgs.bash;
- openssh.authorizedKeys.keys = [
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC+xd8ClJPvJuAdYC9HlNnjiubEtYfvnKjYr9ROV+UmPVvI3ZITF24OaMI+fxgR0EqGfcUzSGom8528IB53Q3aFMIAaA0vKjW+jrByyB2l/k/+ttpLbH75c9WyOpAcUDTen8BhHKPyXOHoJ1jLu7GFmtPZ+mZo8thFB/VIRrwECHd8DnF0drsSCorkRp1bZC7bAHgztaYHNBUoAVGgJ7nLwW7DotlgbUEDiPJHXOxd/c/ZlXIB/cfUUqF+L5ThbMPhMcwRMspLy+nQdmHhih9k6SkvYqJoNqHT5/XeShb0RkIzvUWT2CYTPop5kAY5mMnatVTOY1FZPhHzk3G8MhOQ3r/elM/ecZxmjL8uozMN9kRGf1IL4DgQZfVqQRILdNSQGb0tfeiyirNZe1RlDw9UvMnZJOw0EkiC9lSSRhBWXXxAmxRrbNFTPQSp+/kiIGDmp2AsGhD11CfTDEU3wcLEUPBUqp1FYSzHncJyEKGy2Dpa5xaUJ0cuyGL4W3WHDXa4sTfY+AIXbQTD88Ujdsbfzyd6lrikG4D/crCurXissrh7q9DuYKWRI24cp5bw9lG33U1EXisnZqFyZNwMAmSj2QEGsHCwSevn0FgyRa2WYXgpZ9hfgY4le+ZSMo2JTosQ6DjGyxMDyQAHJ/ismTTzL67Q2p6U+73toYm62Qqdspw== (none)"
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDP0/DReYSAfkucroMTdELzTORsGhhbEa+W0FDFBnwViHuoqoKvetCOkW657icexc5v/j6Ghy3+Li9twbHnEDzUJVtNtauhGMjOcUYt6pTbeJ09CGSAh+orxzeY4vXp7ANb91xW8yRn/EE4ALxqbLsc/D7TUMl11fmf0UW+kLgU5TcUYVSLMjQqBpD1Lo7lXLrImloDxe5fwoBDT09E59r9tq6+/3aHz8mpKRLsIQIV0Av00BRJ+/OVmZuBd9WS35rfkpUYmpEVInSJy3G4O6kCvY/zc9Bnh67l4kALZZ0+6W23kBGrzaRfaOtCEcscwfIu+6GXiHOL33rrMNNinF0T2942jGc18feL6P/LZCzqz8bGdFNxT43jAGPeDDcrJEWAJZFO3vVTP65dTRTHQG2KlQMzS7tcif6YUlY2JLJIb61ZfLoShH/ini/tqsGT0Be1f3ndOFt48h4XMW1oIF+EXaHYeO2UJ6855m8Wpxs4bP/jX6vMV38IvvnHy4tWD50= alukard@AMD-Workstation"
- ];
- };
- deploy = {
- description = "The administrator account for the servers.";
- isNormalUser = true;
- extraGroups = [ "wheel" ];
- openssh.authorizedKeys.keys =
- config.users.users.${config.mainuser}.openssh.authorizedKeys.keys;
- };
- root.openssh.authorizedKeys.keys =
- config.users.users.${config.mainuser}.openssh.authorizedKeys.keys;
- };
- # Passwordless sudo for deploy user
- security.sudo.extraRules = [{
- users = [ "deploy" ];
- commands = [{
- command = "ALL";
- options = [ "NOPASSWD" ];
- }];
- }];
-
- # Podman
- virtualisation = {
- oci-containers.backend = lib.mkForce "podman";
- podman.enable = true;
- podman.dockerSocket.enable = true;
- containers.registries.search = [
- "docker.io" "gcr.io" "quay.io"
- ];
- containers.storage.settings = {
- storage = {
- driver = "overlay";
- graphroot = "/var/lib/podman/storage";
- runroot = "/run/containers/storage";
- };
- };
- };
- security.unprivilegedUsernsClone = true;
-
- # Directory for some state files (like wireguard keys)
- systemd.tmpfiles.rules = [
- "d /srv 0755 root root -"
- ];
-
- system.stateVersion = "23.05";
-}
diff --git a/machines/NixOS-VPS/disko.nix b/machines/NixOS-VPS/disko.nix
deleted file mode 100644
index b640ff0..0000000
--- a/machines/NixOS-VPS/disko.nix
+++ /dev/null
@@ -1,74 +0,0 @@
-{ lib, disks ? [ "/dev/sda" ], ... }: {
- disk = lib.genAttrs disks (dev: {
- device = dev;
- type = "disk";
- content = {
- type = "table";
- format = "gpt";
- partitions = [
- {
- name = "boot";
- start = "0";
- end = "1M";
- part-type = "primary";
- flags = [ "bios_grub" ];
- }
- {
- name = "ESP";
- start = "1MiB";
- end = "100MiB";
- bootable = true;
- content = {
- type = "filesystem";
- format = "vfat";
- mountpoint = "/boot";
- };
- }
- {
- name = "root";
- start = "100MiB";
- end = "-2G";
- part-type = "primary";
- bootable = true;
- # content = {
- # type = "filesystem";
- # format = "bcachefs";
- # extraArgs = [
- # "--block_size=8192"
- # "--compression=zstd"
- # "--discard"
- # "--acl"
- # ];
- # mountpoint = "/";
- # };
- content = {
- type = "btrfs";
- extraArgs = [ "-f" ];
- subvolumes = {
- "/rootfs" = {
- mountpoint = "/";
- mountOptions = [ "compress=zstd" "noatime" "autodefrag" "ssd" ];
- };
- "/home" = {
- mountOptions = [ "compress=zstd" "noatime" "autodefrag" "ssd" ];
- };
- "/nix" = {
- mountOptions = [ "compress=zstd" "noatime" "autodefrag" "ssd" ];
- };
- };
- };
- }
- {
- name = "swap";
- start = "-2G";
- end = "100%";
- part-type = "primary";
- content = {
- type = "swap";
- randomEncryption = true;
- };
- }
- ];
- };
- });
-}
diff --git a/machines/NixOS-VPS/hardware/default.nix b/machines/NixOS-VPS/hardware/default.nix
deleted file mode 100644
index a460999..0000000
--- a/machines/NixOS-VPS/hardware/default.nix
+++ /dev/null
@@ -1,41 +0,0 @@
-{ config, lib, pkgs, modulesPath, ... }: {
- imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
-
- boot.initrd.availableKernelModules =
- [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
- boot.initrd.kernelModules = [ ];
- boot.kernelModules = [ "kvm-amd" ];
- boot.extraModulePackages = [ ];
-
- fileSystems."/" = {
- device = "/dev/disk/by-partuuid/34c39dc8-07e8-4dd0-9c74-462d43c874d0";
- fsType = "btrfs";
- options = [ "subvol=rootfs" "compress=zstd" "noatime" "autodefrag" "ssd" ];
- };
-
- fileSystems."/nix" = {
- device = "/dev/disk/by-partuuid/34c39dc8-07e8-4dd0-9c74-462d43c874d0";
- fsType = "btrfs";
- options = [ "subvol=nix" "compress=zstd" "noatime" "autodefrag" "ssd" ];
- };
-
- fileSystems."/boot" = {
- device = "/dev/disk/by-partuuid/a9bc6629-2e9b-46e8-b482-aea8651d1949";
- fsType = "vfat";
- };
-
- fileSystems."/home" = {
- device = "/dev/disk/by-partuuid/34c39dc8-07e8-4dd0-9c74-462d43c874d0";
- fsType = "btrfs";
- options = [ "subvol=home" "compress=zstd" "noatime" "autodefrag" "ssd" ];
- };
-
- swapDevices = [{
- device = "/dev/disk/by-partuuid/a460e7c7-3005-4516-9a8e-f751082b8bb6";
- randomEncryption.enable = true;
- randomEncryption.allowDiscards = true;
- priority = 0;
- }];
-
- nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-}
diff --git a/machines/NixOS-VPS/hardware/networks.nix b/machines/NixOS-VPS/hardware/networks.nix
deleted file mode 100644
index ca06f9d..0000000
--- a/machines/NixOS-VPS/hardware/networks.nix
+++ /dev/null
@@ -1,95 +0,0 @@
-rec {
- privateIPv6Prefix = "fd3a:900e:8e74:ffff";
- domain = "wg.ataraxiadev.com";
-
- interfaces = {
- # This is the public-facing interface. Any interface name with a prime
- # symbol means it's a public-facing interface.
- main' = {
- bridgeName = "br0";
- ifname = "enp0s18";
- IPv4 = {
- address = "193.219.97.142/26";
- gateway = "193.219.97.129";
- dns = [ "46.102.157.27" "46.102.157.42" ];
- };
- IPv6 = {
- address = "2a0d:f302:128:3792::1/48";
- gateway = "2a0d:f302:127::1";
- dns = [ "2a0d:f302:99::99" "2a0d:f302:100::100" ];
- };
- };
-
- wireguard0 = {
- ifname = "wg0";
- dns = [ "${privateIPv6Prefix}::0:53" ];
- IPv4 = {
- address = "10.100.0.1";
- subnet = "10.100.0.0/16";
- };
- IPv6 = {
- address = "${privateIPv6Prefix}::1";
- subnet = "${privateIPv6Prefix}::0/64";
- };
- };
- };
-
- # Wireguard-related things.
- wireguardPort = 40820;
- wireguardIPv4Prefix = "10.100.0";
- wireguardIPv6Prefix = "${privateIPv6Prefix}::0";
- wireguardPeers = {
- server = with interfaces.wireguard0; {
- IPv4 = IPv4.address;
- IPv6 = IPv6.address;
- };
- ataraxia = {
- IPv4 = "${wireguardIPv4Prefix}.2";
- IPv6 = "${wireguardIPv6Prefix}:2";
- };
- hypervisor = {
- IPv4 = "${wireguardIPv4Prefix}.3";
- IPv6 = "${wireguardIPv6Prefix}:3";
- };
- mikrotik = {
- IPv4 = "${wireguardIPv4Prefix}.4";
- IPv6 = "${wireguardIPv6Prefix}:4";
- };
- poco = {
- IPv4 = "${wireguardIPv4Prefix}.5";
- IPv6 = "${wireguardIPv6Prefix}:5";
- };
- kpoxa = {
- IPv4 = "${wireguardIPv4Prefix}.6";
- IPv6 = "${wireguardIPv6Prefix}:6";
- };
- kpoxa2 = {
- IPv4 = "${wireguardIPv4Prefix}.7";
- IPv6 = "${wireguardIPv6Prefix}:7";
- };
- faysss = {
- IPv4 = "${wireguardIPv4Prefix}.8";
- IPv6 = "${wireguardIPv6Prefix}:8";
- };
- faysss2 = {
- IPv4 = "${wireguardIPv4Prefix}.9";
- IPv6 = "${wireguardIPv6Prefix}:9";
- };
- faysss3 = {
- IPv4 = "${wireguardIPv4Prefix}.10";
- IPv6 = "${wireguardIPv6Prefix}:a";
- };
- doste = {
- IPv4 = "${wireguardIPv4Prefix}.11";
- IPv6 = "${wireguardIPv6Prefix}:b";
- };
- dell = {
- IPv4 = "${wireguardIPv4Prefix}.12";
- IPv6 = "${wireguardIPv6Prefix}:c";
- };
- hypervisor-dns = {
- IPv4 = "${wireguardIPv4Prefix}.13";
- IPv6 = "${wireguardIPv6Prefix}:d";
- };
- };
-}
diff --git a/machines/NixOS-VPS/network.nix b/machines/NixOS-VPS/network.nix
deleted file mode 100644
index 1e7fa04..0000000
--- a/machines/NixOS-VPS/network.nix
+++ /dev/null
@@ -1,65 +0,0 @@
-{ config, ... }:
-let
- inherit (import ./hardware/networks.nix) interfaces domain;
-in {
- services.resolved.enable = true;
- networking = {
- enableIPv6 = true;
- usePredictableInterfaceNames = true;
- useDHCP = false;
- dhcpcd.enable = false;
- nftables.enable = false; # incompatible with tailscale and docker/podman
- domain = domain;
- };
- systemd.network = with interfaces.main'; {
- enable = true;
- wait-online.ignoredInterfaces = [ "lo" ];
- networks = {
- "10-wan" = {
- matchConfig.Name = ifname;
- linkConfig.RequiredForOnline = "enslaved";
- networkConfig.Bridge = bridgeName;
- networkConfig.DHCP = "no";
- networkConfig.LinkLocalAddressing = "no";
- networkConfig.IPv6AcceptRA = false;
- };
- "20-${bridgeName}" = {
- matchConfig.Name = bridgeName;
- address = [
- IPv4.address IPv6.address
- "192.168.0.1/24" "fc00::1/64"
- ];
- linkConfig.RequiredForOnline = "routable";
-
- domains = [ config.networking.domain ];
- networkConfig = {
- DHCP = "no";
- IPForward = true;
- IPv6PrivacyExtensions = true;
- LinkLocalAddressing = "no";
- IPv6AcceptRA = false;
- DNS = IPv4.dns ++ IPv6.dns;
- };
- routes = [
- {
- routeConfig.Gateway = IPv4.gateway;
- routeConfig.GatewayOnLink = true;
- }
- {
- routeConfig.Gateway = IPv6.gateway;
- routeConfig.GatewayOnLink = true;
- }
- ];
- };
- };
- netdevs = {
- "20-${bridgeName}" = {
- netdevConfig = {
- Kind = "bridge";
- Name = bridgeName;
- MACAddress = "e6:95:b5:a6:28:c0";
- };
- };
- };
- };
-}
\ No newline at end of file
diff --git a/machines/NixOS-VPS/nix.nix b/machines/NixOS-VPS/nix.nix
deleted file mode 100644
index 873af7d..0000000
--- a/machines/NixOS-VPS/nix.nix
+++ /dev/null
@@ -1,39 +0,0 @@
-{ config, lib, inputs, ... }: {
- nix = {
- nixPath = lib.mkForce [ "self=/etc/self/compat" "nixpkgs=/etc/nixpkgs" ];
- registry.self.flake = inputs.self;
- registry.nixpkgs.flake = inputs.nixpkgs;
- optimise.automatic = lib.mkDefault true;
- extraOptions = ''
- builders-use-substitutes = true
- experimental-features = nix-command flakes
- flake-registry = ${inputs.flake-registry}/flake-registry.json
- '';
- settings = {
- auto-optimise-store = false;
- require-sigs = true;
- substituters = [
- "https://cache.nixos.org"
- "https://nix-community.cachix.org"
- "https://nixpkgs-wayland.cachix.org"
- "https://hyprland.cachix.org"
- "https://ataraxiadev-foss.cachix.org"
- "https://cache.ataraxiadev.com/ataraxiadev"
- "https://numtide.cachix.org"
- ];
- trusted-public-keys = [
- "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
- "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
- "nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA="
- "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
- "ataraxiadev-foss.cachix.org-1:ws/jmPRUF5R8TkirnV1b525lP9F/uTBsz2KraV61058="
- "ataraxiadev:/V5bNjSzHVGx6r2XA2fjkgUYgqoz9VnrAHq45+2FJAs="
- "numtide.cachix.org-1:2ps1kLBUWjxIneOy1Ik6cQjb41X0iXVXeHigGmycPPE="
- ];
- trusted-users = [ "root" config.mainuser "@wheel" ];
- use-xdg-base-directories = true;
- };
- };
- environment.etc.nixpkgs.source = inputs.nixpkgs;
- environment.etc.self.source = inputs.self;
-}
diff --git a/machines/NixOS-VPS/services/backups.nix b/machines/NixOS-VPS/services/backups.nix
deleted file mode 100644
index 28cdc69..0000000
--- a/machines/NixOS-VPS/services/backups.nix
+++ /dev/null
@@ -1,26 +0,0 @@
-{ config, pkgs, lib, ... }: {
- services.restic.backups.vps-data = {
- initialize = true;
- passwordFile = "/srv/restic-pass";
- repositoryFile = "/srv/restic-repo";
- paths = [
- "/srv"
- "/var/lib/acme"
- # "/var/lib/headscale"
- "/var/lib/redis-unbound"
- "/var/lib/tailscale"
- "/var/lib/tor"
- ];
- environmentFile = "${pkgs.writeText "restic.env" "GOMAXPROCS=1"}";
- extraBackupArgs = [ "--no-scan" ];
- timerConfig = {
- OnCalendar = "daily";
- Persistent = true;
- };
- pruneOpts = [
- "--keep-daily 7"
- "--keep-weekly 5"
- "--keep-yearly 2"
- ];
- };
-}
\ No newline at end of file
diff --git a/machines/NixOS-VPS/services/dns.nix b/machines/NixOS-VPS/services/dns.nix
deleted file mode 100644
index 5d70f41..0000000
--- a/machines/NixOS-VPS/services/dns.nix
+++ /dev/null
@@ -1,228 +0,0 @@
-{ config, lib, pkgs, ... }:
-let
- inherit (import ../hardware/networks.nix) interfaces;
- wg = interfaces.wireguard0;
- wgIfname = wg.ifname;
- brIfname = interfaces.main'.bridgeName;
-in {
- # For debugging purposes
- environment.systemPackages = with pkgs; [ tcpdump dnsutils ];
- services.resolved.extraConfig = ''
- DNSStubListener=off
- '';
- systemd.network.networks."20-${brIfname}".networkConfig.DNS = lib.mkForce "127.0.0.1";
- systemd.network.networks."90-${wgIfname}".networkConfig.DNS = lib.mkForce "127.0.0.1";
-
- networking.firewall = {
- interfaces.${wgIfname} = {
- allowedTCPPorts = [
- config.services.blocky.settings.ports.dns
- config.services.grafana.settings.server.http_port
- ];
- allowedUDPPorts = [
- config.services.blocky.settings.ports.dns
- ];
- };
- };
-
- # TODO: DoH (https://unbound.docs.nlnetlabs.nl/en/latest/topics/privacy/dns-over-https.html)
- services.unbound = {
- enable = true;
- package = pkgs.unbound-full;
- settings = {
- server = {
- root-hints = "${config.services.unbound.stateDir}/root.hints";
- port = "553";
- interface = [
- "127.0.0.1" wg.IPv4.address
- "::1" wg.IPv6.address
- ];
- access-control = [
- "0.0.0.0/0 refuse"
- "127.0.0.0/8 allow"
- "${wg.IPv4.subnet} allow"
- "::0/0 refuse"
- "::1 allow"
- "${wg.IPv4.subnet} allow"
- ];
- private-address = [
- "127.0.0.0/8"
- "${wg.IPv4.subnet}"
- "::1"
- "${wg.IPv4.subnet}"
- ];
- hide-version = "yes";
- aggressive-nsec = "yes";
- cache-max-ttl = "86400";
- cache-min-ttl = "600";
- deny-any = "yes";
- do-ip4 = "yes";
- do-ip6 = "yes";
- do-tcp = "yes";
- do-udp = "yes";
- harden-algo-downgrade = "yes";
- harden-dnssec-stripped = "yes";
- harden-glue = "yes";
- harden-large-queries = "yes";
- harden-referral-path = "yes";
- harden-short-bufsize = "yes";
- hide-identity = "yes";
- minimal-responses = "yes";
- msg-cache-size = "128m";
- neg-cache-size = "4m";
- prefer-ip6 = "no";
- prefetch = "yes";
- prefetch-key = "yes";
- qname-minimisation = "yes";
- rrset-cache-size = "256m";
- rrset-roundrobin = "yes";
- serve-expired = "yes";
- so-rcvbuf = "4m";
- so-reuseport = "yes";
- so-sndbuf = "4m";
- unwanted-reply-threshold = "100000";
- use-caps-for-id = "yes";
- };
- cachedb = {
- backend = "redis";
- redis-server-host = "127.0.0.1";
- redis-server-port = toString config.services.redis.servers.unbound.port;
- redis-timeout = "300";
- redis-expire-records = "no";
- };
- };
- };
- services.redis.vmOverCommit = true;
- services.redis.servers.unbound = {
- enable = true;
- port = 7379;
- databases = 1;
- save = [ [ 3600 1 ] [ 1800 10 ] [ 600 100 ] ];
- settings = {
- maxmemory = "16mb";
- protected-mode = true;
- rdbchecksum = false;
- stop-writes-on-bgsave-error = false;
- tcp-keepalive = 300;
- timeout = 0;
- };
- };
- # TODO: maybe set internic ip address to hosts?
- systemd.services.root-hints = {
- script = ''
- ${pkgs.wget}/bin/wget -O ${config.services.unbound.stateDir}/root.hints https://www.internic.net/domain/named.root
- '';
- serviceConfig.Type = "oneshot";
- startAt = "1 0 1 */1 *";
- };
- # Blocky + prometheus + grafana
- services.blocky = {
- enable = true;
- settings = {
- upstream.default = [ "127.0.0.1:553" "[::1]:553" ];
- upstreamTimeout = "10s";
- bootstrapDns = [{
- upstream = "https://dns.quad9.net/dns-query";
- ips = [ "9.9.9.9" "149.112.112.112" ];
- }];
- blocking = {
- blackLists = {
- ads = [
- "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"
- "https://github.com/RPiList/specials/raw/master/Blocklisten/malware"
- ];
- telemetry = [
- "https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt"
- "https://github.com/RPiList/specials/raw/master/Blocklisten/MS-Office-Telemetry"
- "https://github.com/RPiList/specials/raw/master/Blocklisten/Win10Telemetry"
- ];
- };
- clientGroupsBlock.default = [ "ads" "telemetry" ];
- };
- # disable caching (use unbound)
- caching = {
- minTime = -1;
- maxTime = -1;
- cacheTimeNegative = -1;
- prefetching = false;
- };
- ports = {
- dns = 53;
- http = "127.0.0.1:4000";
- };
- prometheus.enable = true;
- queryLog = {
- type = "console";
- };
- };
- };
- services.prometheus = {
- enable = true;
- listenAddress = "127.0.0.1";
- globalConfig.scrape_interval = "15s";
- globalConfig.evaluation_interval = "15s";
- scrapeConfigs = [{
- job_name = "blocky";
- static_configs = [{
- targets = [ config.services.blocky.settings.ports.http ];
- }];
- }];
- };
- services.grafana = {
- enable = true;
- settings = {
- analytics.reporting_enabled = false;
- server = {
- # domain = "${wg.IPv4.address}";
- # http_addr = "${wg.IPv4.address}";
- enable_gzip = true;
- domain = "localhost";
- http_addr = "127.0.0.1";
- http_port = 3000;
- };
- # Grafana can be accessed only through wireguard, so it's secure enough
- security = {
- admin_user = "admin";
- admin_password = "admin";
- # admin_password = "$__file(/var/secrets/grafana)";
- };
- panels.disable_sanitize_html = true;
- };
- provision = {
- enable = true;
- datasources.settings = {
- datasources = [{
- name = "Prometheus";
- type = "prometheus";
- access = "proxy";
- orgId = 1;
- uid = "Y4SSG429DWCGDQ3R";
- url = "http://127.0.0.1:${toString config.services.prometheus.port}";
- isDefault = true;
- jsonData = {
- graphiteVersion = "1.1";
- tlsAuth = false;
- tlsAuthWithCACert = false;
- };
- version = 1;
- editable = true;
- }];
- };
- dashboards = {
- settings = {
- providers = [{
- name = "My Dashboards";
- options.path = "/etc/grafana-dashboards";
- }];
- };
- };
- };
- };
- environment.etc = {
- "grafana-dashboards/blocky_rev3.json" = {
- source = ../../../misc/grafana_blocky_rev3.json;
- group = "grafana";
- user = "grafana";
- };
- };
-}
\ No newline at end of file
diff --git a/machines/NixOS-VPS/services/tailscale.nix b/machines/NixOS-VPS/services/tailscale.nix
deleted file mode 100644
index b0d6ef5..0000000
--- a/machines/NixOS-VPS/services/tailscale.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-{ config, pkgs, lib, ... }:
-let
- bridgeName = (import ../hardware/networks.nix).interfaces.main'.bridgeName;
- tailscalePort = config.services.tailscale.port;
- tailscaleIfname = config.services.tailscale.interfaceName;
-in {
- networking.firewall.interfaces.${bridgeName}.allowedUDPPorts = [ tailscalePort ];
- networking.firewall.trustedInterfaces = [ tailscaleIfname ];
-
- systemd.network.networks."50-tailscale" = {
- matchConfig.Name = tailscaleIfname;
- linkConfig.Unmanaged = true;
- linkConfig.ActivationPolicy = "manual";
- };
-
- services.tailscale = {
- enable = true;
- port = 18491;
- useRoutingFeatures = "both";
- };
-}
\ No newline at end of file
diff --git a/machines/NixOS-VPS/services/tor-bridge.nix b/machines/NixOS-VPS/services/tor-bridge.nix
deleted file mode 100644
index e105311..0000000
--- a/machines/NixOS-VPS/services/tor-bridge.nix
+++ /dev/null
@@ -1,43 +0,0 @@
-{ config, pkgs, lib, ... }:
-let
- inherit (import ../hardware/networks.nix) interfaces;
- bridgeName = interfaces.main'.bridgeName;
- obfs4Port = 18371;
-in {
- networking.firewall.interfaces.${bridgeName} = {
- allowedTCPPorts = [ obfs4Port ];
- };
-
- # We can get bridge cert from file: /var/lib/tor/pt_state/obfs4_bridgeline.txt
- # Fingerprint can be obtained from tor.service logs
- services.tor = {
- enable = true;
- enableGeoIP = true;
- client.enable = false;
- relay.enable = true;
- relay.role = "private-bridge";
- settings = {
- BridgeDistribution = "none";
- BridgeRelay = true;
- ContactInfo = "admin@ataraxiadev.com";
- ORPort = [ 17429 ];
- ServerTransportListenAddr = "obfs4 0.0.0.0:${toString obfs4Port}";
- Nickname = "Ataraxia";
- };
- };
-
- services.networkd-dispatcher = {
- enable = true;
- rules."restart-tor" = {
- onState = [ "routable" "off" ];
- script = ''
- #!${pkgs.runtimeShell}
- if [[ $IFACE == "${bridgeName}" && $AdministrativeState == "configured" ]]; then
- echo "Restarting Tor ..."
- systemctl restart tor
- fi
- exit 0
- '';
- };
- };
-}
\ No newline at end of file
diff --git a/machines/NixOS-VPS/services/wireguard.nix b/machines/NixOS-VPS/services/wireguard.nix
deleted file mode 100644
index b11ba4e..0000000
--- a/machines/NixOS-VPS/services/wireguard.nix
+++ /dev/null
@@ -1,128 +0,0 @@
-{ config, lib, pkgs, ... }:
-let
- inherit (import ../hardware/networks.nix) interfaces wireguardPort wireguardPeers;
- wireguardIFName = interfaces.wireguard0.ifname;
-in {
- environment.systemPackages = [ pkgs.wireguard-tools ];
-
- networking.firewall = {
- allowedUDPPorts = [ wireguardPort ];
- checkReversePath = lib.mkForce false;
- };
-
- boot.kernelModules = [ "wireguard" ];
- systemd.network = {
- wait-online.ignoredInterfaces = [ wireguardIFName ];
-
- networks."90-${wireguardIFName}" = with interfaces.wireguard0; {
- matchConfig.Name = wireguardIFName;
- address = [
- "${IPv4.address}/16"
- "${IPv6.address}/64"
- ];
- DHCP = "no";
- networkConfig = {
- IPForward = true;
- IPMasquerade = "both";
- DNS = interfaces.main'.IPv4.dns ++ interfaces.main'.IPv6.dns;
- };
- };
-
- netdevs."90-${wireguardIFName}" = {
- netdevConfig = {
- Name = wireguardIFName;
- Kind = "wireguard";
- };
- wireguardConfig = {
- PrivateKeyFile = "/srv/wireguard/private";
- ListenPort = wireguardPort;
- };
- wireguardPeers = [
- {
- wireguardPeerConfig = with wireguardPeers.ataraxia; {
- PublicKey = "qjkV4V0on7H3hXG7udKOv4Qu/IUBrsDcXNZt3MupP3o=";
- PresharedKeyFile = "/srv/wireguard/ataraxia/preshared";
- AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
- };
- }
- {
- wireguardPeerConfig = with wireguardPeers.hypervisor; {
- PublicKey = "oKQ3HXZ1wwWyVgmA4RoCXscImohqB8hdMzP1FRArw0o=";
- PresharedKeyFile = "/srv/wireguard/hypervisor/preshared";
- AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
- };
- }
- {
- wireguardPeerConfig = with wireguardPeers.mikrotik; {
- PublicKey = "amReLTZgu6pwtKCnk1q8EG5uZSgUNxRoh5m3w1D3rQo=";
- PresharedKeyFile = "/srv/wireguard/mikrotik/preshared";
- AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
- };
- }
- {
- wireguardPeerConfig = with wireguardPeers.poco; {
- PublicKey = "ZbBJziuMjyHJNcgrLYIQtio7l3fEOJ4GXW4ST+N9V34=";
- PresharedKeyFile = "/srv/wireguard/poco/preshared";
- AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
- };
- }
- {
- wireguardPeerConfig = with wireguardPeers.kpoxa; {
- PublicKey = "U1wtbS8/yQGkBnBQUZs7KxxmvAajKb9jh83dDd2LdgE=";
- PresharedKeyFile = "/srv/wireguard/kpoxa/preshared";
- AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
- };
- }
- {
- wireguardPeerConfig = with wireguardPeers.kpoxa2; {
- PublicKey = "ghU3Puwz5PeXmnDlxyh+IeuwFK44V3rXlMiFGs5YnwI=";
- PresharedKeyFile = "/srv/wireguard/kpoxa2/preshared";
- AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
- };
- }
- {
- wireguardPeerConfig = with wireguardPeers.faysss; {
- PublicKey = "JLvKyFwI7b9MsiZsnNAt3qs5ob18b3mrOZKR5HZCORY=";
- PresharedKeyFile = "/srv/wireguard/faysss/preshared";
- AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
- };
- }
- {
- wireguardPeerConfig = with wireguardPeers.faysss2; {
- PublicKey = "S6k9l0K5/YmO5BPETQludC1CBHsKLsk9+n6kwSjx4n8=";
- PresharedKeyFile = "/srv/wireguard/faysss2/preshared";
- AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
- };
- }
- {
- wireguardPeerConfig = with wireguardPeers.faysss3; {
- PublicKey = "ka42gE67gShu88Ko7iQ/pK8zusod6bNIrIN8fkxVkC4=";
- PresharedKeyFile = "/srv/wireguard/faysss3/preshared";
- AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
- };
- }
- {
- wireguardPeerConfig = with wireguardPeers.doste; {
- PublicKey = "KVbEaO4DSpTb941zxOPQLWq2Glm9CDgK/9MwW95WuC0=";
- PresharedKeyFile = "/srv/wireguard/doste/preshared";
- AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
- };
- }
- {
- wireguardPeerConfig = with wireguardPeers.dell; {
- PublicKey = "//ss9UEHRFEZL4LbZaA1HiRUrMrn97kc7CmblUORXTc=";
- PresharedKeyFile = "/srv/wireguard/dell/preshared";
- AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
- };
- }
- {
- wireguardPeerConfig = with wireguardPeers.hypervisor-dns; {
- PublicKey = "x4uavQEEfhdqNC4FCOPfKlEDRJiwOz4dy2W1KhJtnwc=";
- PresharedKeyFile = "/srv/wireguard/hypervisor-dns/preshared";
- AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
- };
- }
- ];
- };
- };
-}
diff --git a/machines/NixOS-VPS/services/xtls.nix b/machines/NixOS-VPS/services/xtls.nix
deleted file mode 100644
index 0a161de..0000000
--- a/machines/NixOS-VPS/services/xtls.nix
+++ /dev/null
@@ -1,45 +0,0 @@
-{ config, pkgs, lib, ... }: {
- networking.firewall.allowedTCPPorts = [ 80 443 ];
-
- virtualisation.oci-containers.containers = {
- nextcloud = {
- autoStart = true;
- image = "docker.io/nextcloud:stable";
- ports = [ "9765:80" ];
- volumes = [
- "/srv/nextcloud/html:/var/www/html"
- "/srv/nextcloud/config:/var/www/html/config"
- "/srv/nextcloud/data:/var/www/html/data"
- ];
- };
- x-ui = {
- autoStart = true;
- image = "ghcr.io/mhsanaei/3x-ui:v1.7.8";
- environment = {
- XRAY_VMESS_AEAD_FORCED = "false";
- };
- extraOptions = [ "--network=host" ];
- volumes = [
- "/srv/x-ui/db:/etc/x-ui"
- "/srv/x-ui/certs:/root/cert"
- ];
- };
- nginx = {
- autoStart = true;
- image = "docker.io/nginx:latest";
- extraOptions = [ "--network=host" ];
- volumes = [
- "/srv/nginx/certs:/etc/ssl/certs:ro"
- "/srv/nginx/nginx.conf:/etc/nginx/nginx.conf:ro"
- ];
- };
- };
-
- systemd.tmpfiles.rules = [
- "d /srv/x-ui/db 0755 root root -"
- "d /srv/x-ui/certs 0755 root root -"
- "d /srv/nextcloud/html 0755 33 33 -"
- "d /srv/nextcloud/config 0755 33 33 -"
- "d /srv/nextcloud/data 0755 33 33 -"
- ];
-}
\ No newline at end of file
diff --git a/machines/NixOS-VPS/system b/machines/NixOS-VPS/system
deleted file mode 100644
index 9bdfd5f..0000000
--- a/machines/NixOS-VPS/system
+++ /dev/null
@@ -1 +0,0 @@
-x86_64-linux
\ No newline at end of file